qemu: domain: Forbid storage with old QCOW2 encryption

The encryption was buggy and qemu actually dropped it upstream. Forbid it for all versions since it would cause other problems too. Problems with the old encryption include weak crypto, corruption of images with blockjobs and a lot of usability problems. This requires changing of the encryption type for the encrypted disk tests. Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2025-02-25 18:55:26 -06:00 · 2018-05-22 14:53:06 +02:00
parent c495905bff
commit c4eedd7930
10 changed files with 37 additions and 12 deletions
--- a/tests/qemuxml2argvdata/encrypted-disk-usage.args
+++ b/tests/qemuxml2argvdata/encrypted-disk-usage.args
@@ -7,6 +7,8 @@ QEMU_AUDIO_DRV=none \
 /usr/bin/qemu-system-i686 \
 -name encryptdisk \
 -S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-encryptdisk/master-key.aes \
 -machine pc,accel=tcg,usb=off,dump-guest-core=off \
 -m 1024 \
 -smp 1,sockets=1,cores=1,threads=1 \
@@ -22,7 +24,11 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \
 -no-acpi \
 -boot c \
 -usb \
-drive file=/storage/guest_disks/encryptdisk,format=qcow2,if=none,\
+-object secret,id=virtio-disk0-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\
+encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\
 id=drive-virtio-disk0 \
 -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
 id=virtio-disk0 \
--- a/tests/qemuxml2argvdata/encrypted-disk-usage.xml
+++ b/tests/qemuxml2argvdata/encrypted-disk-usage.xml
@@ -18,7 +18,7 @@
      <driver name='qemu' type='qcow2'/>
      <source file='/storage/guest_disks/encryptdisk'/>
      <target dev='vda' bus='virtio'/>
-      <encryption format='qcow'>
+      <encryption format='luks'>
        <secret type='passphrase' usage='/storage/guest_disks/encryptdisk'/>
      </encryption>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
--- a/tests/qemuxml2argvdata/encrypted-disk.args
+++ b/tests/qemuxml2argvdata/encrypted-disk.args
@@ -7,6 +7,8 @@ QEMU_AUDIO_DRV=none \
 /usr/bin/qemu-system-i686 \
 -name encryptdisk \
 -S \
+-object secret,id=masterKey0,format=raw,\
+file=/tmp/lib/domain--1-encryptdisk/master-key.aes \
 -machine pc,accel=tcg,usb=off,dump-guest-core=off \
 -m 1024 \
 -smp 1,sockets=1,cores=1,threads=1 \
@@ -22,7 +24,11 @@ path=/tmp/lib/domain--1-encryptdisk/monitor.sock,server,nowait \
 -no-acpi \
 -boot c \
 -usb \
-drive file=/storage/guest_disks/encryptdisk,format=qcow2,if=none,\
+-object secret,id=virtio-disk0-luks-secret0,\
+data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
+keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
+-drive file=/storage/guest_disks/encryptdisk,encrypt.format=luks,\
+encrypt.key-secret=virtio-disk0-luks-secret0,format=qcow2,if=none,\
 id=drive-virtio-disk0 \
 -device virtio-blk-pci,bus=pci.0,addr=0x4,drive=drive-virtio-disk0,\
 id=virtio-disk0 \
--- a/tests/qemuxml2argvdata/encrypted-disk.xml
+++ b/tests/qemuxml2argvdata/encrypted-disk.xml
@@ -18,7 +18,7 @@
      <driver name='qemu' type='qcow2'/>
      <source file='/storage/guest_disks/encryptdisk'/>
      <target dev='vda' bus='virtio'/>
-      <encryption format='qcow'>
+      <encryption format='luks'>
        <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
      </encryption>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -1651,8 +1651,8 @@ mymain(void)
    DO_TEST("cpu-tsc-frequency", QEMU_CAPS_KVM);
    qemuTestSetHostCPU(driver.caps, NULL);

-    DO_TEST("encrypted-disk", NONE);
-    DO_TEST("encrypted-disk-usage", NONE);
+    DO_TEST("encrypted-disk", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET);
+    DO_TEST("encrypted-disk-usage", QEMU_CAPS_QCOW2_LUKS, QEMU_CAPS_OBJECT_SECRET);
 # ifdef WITH_GNUTLS
    DO_TEST("luks-disks", QEMU_CAPS_OBJECT_SECRET);
    DO_TEST("luks-disks-source", QEMU_CAPS_OBJECT_SECRET);
--- a/tests/qemuxml2xmloutdata/encrypted-disk.xml
+++ b/tests/qemuxml2xmloutdata/encrypted-disk.xml
@@ -18,7 +18,7 @@
      <driver name='qemu' type='qcow2'/>
      <source file='/storage/guest_disks/encryptdisk'/>
      <target dev='vda' bus='virtio'/>
-      <encryption format='qcow'>
+      <encryption format='luks'>
        <secret type='passphrase' uuid='0a81f5b2-8403-7b23-c8d6-21ccc2f80d6f'/>
      </encryption>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -482,8 +482,8 @@ mymain(void)
    DO_TEST("pci-rom-disabled-invalid", NONE);
    DO_TEST("pci-serial-dev-chardev", NONE);

-    DO_TEST("encrypted-disk", NONE);
-    DO_TEST("encrypted-disk-usage", NONE);
+    DO_TEST("encrypted-disk", QEMU_CAPS_QCOW2_LUKS);
+    DO_TEST("encrypted-disk-usage", QEMU_CAPS_QCOW2_LUKS);
    DO_TEST("luks-disks", NONE);
    DO_TEST("luks-disks-source", NONE);
    DO_TEST("memtune", NONE);